social authentication
play

Social Authentication: Vulnerabilities, Mitigations, and Redesign - PowerPoint PPT Presentation

Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini DEEPSEC 2014 November 21 2 About 2013 - M.Sc. in Engineering of Computing Systems @ Computer Security Group This talk is based on my M.Sc. Thesis


  1. Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini DEEPSEC 2014 November 21

  2. 2 About 2013 - M.Sc. in Engineering of Computing Systems @ • Computer Security Group • This talk is based on my M.Sc. Thesis • 2013 - Researcher @ • Security Research • Vulnerability Assessment & Penetration Testing • Web Applications & Mobile Security • @lancinimarco • Marco Lancini

  3. 3 Online Social Networks Huge user base • Massive amount of personal information • Widespread adoption of single sign-on services • Appealing targets for online crime • Identity theft • Spamming • Phishing • Selling stolen credit cards numbers Selling compromised accounts • 97% of malicious accounts are compromised, not fake • Marco Lancini

  4. 4 Keeping Stolen Accounts Safe TWO-FACTOR AUTHENTICATION • Knowledge factor: “something the user KNOWS ” ( password) • Possession factor: “something the user HAS ” (hardware token) • Adopted by high-value services (online banking, Google services) • Pro • Prevent adversaries from compromising accounts using stolen credentials • The risk of an adversary acquiring both is very low • Drawbacks (token) Drawbacks (SMS) • • Inconvenient for users Sent in plain text • • Costly deploy Can be intercepted & forwarded • • Phones easily lost and stolen • Marco Lancini

  5. 5 Social Authentication Challenge = balance strong security with usability • Social Authentication • 2FA scheme that tests the user’s personal social knowledge • • only the intended user is likely to be able to answer Using a “ social CAPTCHA ” • • one or more challenge questions based on information available in the social network (user’s activities and/or connections) Eliminates the key issues of traditional CAPTCHAs • • (at times) incredibly hard to decipher • vulnerable to human hackers (only meant to defend against attacks by computers) • “ CAPTCHA farming ” Marco Lancini

  6. 6 FACEBOOK’S SOCIAL AUTHENTICATION Marco Lancini

  7. 7 Social Authentication (SA) Two-factor authentication scheme • Tests the user’s personal social knowledge • 2 nd factor: • “something the user HAS ” (hardware token) “something the user KNOWS ” ( FRIEND ) User’s credentials authentic only if he can correctly identify his friends • The user can recognize his friends whereas a stranger cannot • Attackers halfway across the world might know a user’s password, but they don’t know who his friends are Triggering: When login considered suspicious • Marco Lancini

  8. 8 How It Works 7 challenges • Each challenge (page) • 3 photos of a friend • 6 possible answers (“ suggestions ”) • User has to correctly answer 5 challenges (2 errors/skips) • Within the 5 minutes time limit • Marco Lancini

  9. 9 Threat Model Friend = anyone inside a user’s online social circle • Has access to information used by the SA mechanism • SA considered • Safe against adversaries that • • Have stolen credentials • Are strangers (not members of the victim’s social circle) Not safe against • • Close friends • Family • Any tightly connected network (university) • Any member has enough information to solve the SA for any other user in the circle Marco Lancini

  10. 10 VULNERABILITY ASSESSMENT OF SA Marco Lancini

  11. 11 SA Photo Selection “Are photos randomly selected?” 2,667 photos from real SA tests 84% containing faces in manual inspection • 80% in automatic inspection by software • 3,486 random Facebook photos (from our dataset of 16M) 69% contained faces in manual inspection • The baseline number of faces per photo is lower in general than in the • photos found in SA tests Face detection procedures used for selecting photos with faces • Marco Lancini

  12. 12 Motivation 84% are photos with faces • SA solvable by humans 80% are photos with faces that can be detected by face-detection software • Can a stranger bypass SA in an automated manner? • position himself inside the victim’s social circle • gaining the information necessary to defeat the SA Marco Lancini

  13. 13 Attacker Models CASUAL ATTACKER • Interested in compromising the greatest possible number of accounts • Collects publicly available data • May lack some information • DETERMINED ATTACKER • Focused on a particular target • Penetrates victim’s social circle • Collect as much private data as possible • Marco Lancini

  14. 15 Attack Surface Estimation – Friends Attack tree to estimate the vulnerable FB population Marco Lancini

  15. 16 Attack Surface Estimation – Photos Attack tree to estimate the vulnerable FB population Marco Lancini

  16. 17 Attack Surface Estimation – Tags Attack tree to estimate the vulnerable FB population Marco Lancini

  17. 19 Automated Attack - 1 Preparatory Phase (offline) 1. Crawling Friend List Marco Lancini

  18. 20 Automated Attack – 2 Preparatory Phase (offline) 1. Crawling Friend List 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  Marco Lancini

  19. 21 Automated Attack – 3 Preparatory Phase (offline) 1. Crawling Friend List 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  3. Photo Collection (public/private) Marco Lancini

  20. 22 Automated Attack – 4 Preparatory Phase (offline) 1. Crawling Friend List 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  3. Photo Collection (public/private) 4. Modeling Face Extraction and Tag Matching  Facial Modeling and Training  Marco Lancini

  21. 23 Automated Attack – 5 Preparatory Phase (offline) Execution Step (real-time) 1. Crawling Friend List 5. Name Lookup 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  3. Photo Collection (public/private) 4. Modeling Face Extraction and Tag Matching  Facial Modeling and Training  Marco Lancini

  22. 24 Experimental Evaluation We collect data as Casual Attackers (publicly available data) • We have not compromised or damaged any user account • 236,752 users 167,359 - 71% PUBLIC • 69,393 - 29% keep private albums • 38% ( 11% of total) SEMI-PUBLIC • 62% ( 18% of toal) PRIVATE • Summary of the collected dataset CASUAL ATTACKER experiment • DETERMINED ATTACKER experiment • Marco Lancini

  23. 25 Casual Attacker – Experiment Used our fake accounts as “victims” • Automated SA triggering through ToR • Geographic dispersion of its exit nodes • Appear to be logging in from remote locations • Face recognition: cloud service (face.com) • Exposes REST API to developers • Superior accuracy • Testing dataset • 127 real SA tests collected • Training dataset • From our dataset, we extracted information • of the 1,131 distinct UIDs that are friends with the fake profiles Marco Lancini

  24. 26 Casual Attacker – Accuracy Manual verification 22% solved (28/127) • 56% need 1-2 guesses • (71/127) 78% in which Tests defeated or • Obtained a significant advantage • Failed photos 25% no face in photo • Solved SA pages out of the collected samples • hard also for humans 50% unrecogn . face • ~44 seconds to solve a complete test << 300 seconds • poor quality photos 25% no face model found • Marco Lancini

  25. 27 Determined Attacker – Experiment Used simulation • As only public data was used • Selected users with enough photos • Face recognition: custom implementation (OpenCV) • Evaluate the accuracy and efficiency of our attack • Define number of faces per user needed to train a • classifier to successfully solve the SA tests Cons • • Lower accuracy • Computational power required Simulate SA tests from public photos • Train system with K = 10, 20, …, 120 faces per friend • Generate 30 simulated SA tests from photos not used for training • Marco Lancini

  26. 28 Determined Attacker – Accuracy Always successful • even when a scarce number of faces is available • K > 100 ensures a more robust outcome Faces Min Success Rate Solved SA pages as a function of the size of the training set 30 42% 90 57% 120 100% Marco Lancini

  27. 29 Determined Attacker – Efficiency Efficient time required for both • “on the fly” training and testing remains within the 5-minute timeout Time required to lookup photos as a function of solved pages Max Time Required Min Success Rate 100s 42% 140s 57% 150s < 300s 100% Marco Lancini

  28. 30 Facebook’s Response We informed Facebook • Acknowledged our results • But • Deployed SA to raise the bar in large-scale phishing attacks • Not designed for small-scale or targeted attacks • Marco Lancini

  29. 31 REDESIGN Marco Lancini

Recommend


More recommend